The Hacker News — Cyber Security, Hacking, Technology News

An infamous Russian-linked cyber-espionage group has been found reusing the same leaked NSA exploit that drove the WannaCry and NotPetya outbreaks, this time against hotel Wi-Fi networks in several European countries in order to spy on guests.

Security researchers at FireEye have uncovered an ongoing campaign that remotely steals credentials from high-value guests using Wi-Fi networks at European hotels and attributed it to the Fancy Bear hacking group.

Fancy Bear—also known as APT28, Sofacy, Sednit, and Pawn Storm—has been operating since at least 2007 and also been accused of hacking the Democratic National Committee (DNC) and Clinton Campaign in an attempt to influence the U.S. presidential election.

The newly discovered campaign also exploits the Windows SMBv1 vulnerability patched in MS17-010 (CVE-2017-0144), known as EternalBlue, one of many exploits allegedly developed by the NSA for surveillance and leaked by the Shadow Brokers in April 2017.

EternalBlue exploits a remote code execution flaw in version 1 of Windows' Server Message Block (SMB) file-sharing protocol. Because SMB is reachable from any host on the same network and the exploit needs no user interaction, it lets malware spread laterally on its own, which is how the WannaCry and NotPetya ransomware propagated across the world so quickly.

Since the EternalBlue code is publicly available, cyber criminals are widely bolting it onto their malware to make it spread further.

Just last week, a new version of the credential-stealing TrickBot banking Trojan was found leveraging SMB to spread locally across networks, though that version was not using EternalBlue.

However, researchers have now found someone deploying the exploit to upgrade their attack.

"To spread through the hospitality company's network, APT28 used a version of the EternalBlue SMB exploit," FireEye researchers write. "This is the first time we have seen APT28 incorporate this exploit into their intrusions."

Researchers have seen ongoing attacks targeting a number of companies in the hospitality sector, including hotels in at least seven countries in Europe and one Middle Eastern country.

Here's How the Attack is Carried Out

The attacks began with a spear-phishing email sent to a hotel employee. The email carries a malicious document named "Hotel_Reservation_Form.doc," whose macros decode and deploy GameFish, malware known to be used by Fancy Bear.

Once installed on a machine inside the targeted hotel's network, GameFish uses the EternalBlue SMB exploit to spread laterally across the hotel network and locate the systems that control both the guest and the internal Wi-Fi networks.

Once those systems are under its control, the malware deploys Responder, an open-source penetration testing tool written by Laurent Gaffié (then at SpiderLabs), for NetBIOS Name Service (NBT-NS) poisoning. Responder answers the name lookups that Windows hosts broadcast on the wireless network with the attacker's own address, so the victim's machine connects to the attacker and hands over the user's NTLM credentials (username and password hash). Responder poisons LLMNR and mDNS lookups in the same way.
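Since Responder answers any NBT-NS query it sees, the cheapest way to catch it on a hotel network (or any other) is to broadcast a query for a name that no host owns and treat any answer as a poisoner. The following Python script is an added example of that check; it is neither FireEye's code nor part of Responder. The name encoding and packet layout follow RFC 1001/1002, the canary name format is an assumption of this example, and the SAMPLE_POISONED_REPLY bytes are constructed for the offline test rather than captured from a real attack.

```python
"""Detect an NBT-NS poisoner on the local segment with a canary name (added example).

Broadcast a NetBIOS name query (RFC 1002, UDP/137) for a name that does not
exist. No legitimate host owns that name, so any positive answer comes from a
poisoner such as Responder, which replies to every query it hears.
"""
import secrets
import socket
import struct

NBNS_PORT = 137
QTYPE_NB = 0x0020
QCLASS_IN = 0x0001


def encode_nbns_name(name: str, suffix: int = 0x00) -> str:
    """RFC 1001 first-level encoding: pad the name to 15 bytes, append the
    suffix byte, then write each half-byte as a letter 'A'..'P' (32 chars)."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    return "".join(chr(0x41 + (b >> 4)) + chr(0x41 + (b & 0x0F)) for b in raw)


def build_nbns_query(name: str, txid: int) -> bytes:
    """Broadcast NB query; flags 0x0110 = standard query, recursion desired, broadcast."""
    header = struct.pack("!HHHHHH", txid, 0x0110, 1, 0, 0, 0)
    qname = b"\x20" + encode_nbns_name(name).encode("ascii") + b"\x00"
    return header + qname + struct.pack("!HH", QTYPE_NB, QCLASS_IN)


def _skip_name(data: bytes, pos: int) -> int:
    """Step over a length-prefixed label sequence or a 2-byte compression pointer."""
    if data[pos] & 0xC0 == 0xC0:
        return pos + 2
    while data[pos] != 0:
        pos += 1 + data[pos]
    return pos + 1


def parse_nbns_response(data: bytes, txid: int) -> list:
    """Return the IPv4 addresses a positive NB response claims for our query,
    or [] if the packet is not a matching positive answer."""
    if len(data) < 12:
        return []
    r_txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if r_txid != txid or not flags & 0x8000 or ancount == 0:
        return []
    pos = 12
    for _ in range(qdcount):                 # question section, if echoed back
        pos = _skip_name(data, pos) + 4
    pos = _skip_name(data, pos)              # answer RR name
    rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[pos:pos + 10])
    pos += 10
    if rtype != QTYPE_NB:
        return []
    rdata = data[pos:pos + rdlen]
    # RDATA is a sequence of 6-byte entries: NB_FLAGS (2 bytes) + IPv4 address (4 bytes)
    return [socket.inet_ntoa(rdata[i + 2:i + 6]) for i in range(0, len(rdata) - 5, 6)]


def canary_name() -> str:
    """Random 14-character name (assumed format) that nothing on the network should own."""
    return "CNRY" + secrets.token_hex(5).upper()


def probe_for_poisoner(timeout: float = 2.0, bcast: str = "255.255.255.255") -> list:
    """Broadcast one canary query and collect every positive answer. Each
    (responder_ip, claimed_ips) tuple returned is evidence of an NBT-NS poisoner."""
    name, txid = canary_name(), secrets.randbelow(0x10000)
    hits = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        s.settimeout(timeout)
        s.sendto(build_nbns_query(name, txid), (bcast, NBNS_PORT))
        try:
            while True:
                data, (src, _port) = s.recvfrom(1024)
                ips = parse_nbns_response(data, txid)
                if ips:
                    hits.append((src, ips))
        except socket.timeout:
            pass
    return hits


# Constructed sample of what a poisoner sends back for the name "WPAD"
# (transaction id 0x1234, claiming 192.0.2.10); not a real capture.
SAMPLE_TXID = 0x1234
SAMPLE_POISONED_REPLY = (
    struct.pack("!HHHHHH", SAMPLE_TXID, 0x8500, 0, 1, 0, 0)
    + b"\x20" + encode_nbns_name("WPAD").encode("ascii") + b"\x00"
    + struct.pack("!HHIH", QTYPE_NB, QCLASS_IN, 165, 6)
    + b"\x00\x00" + socket.inet_aton("192.0.2.10")
)

if __name__ == "__main__":
    print(parse_nbns_response(SAMPLE_POISONED_REPLY, SAMPLE_TXID))  # ['192.0.2.10']
    for src, ips in probe_for_poisoner():
        print(f"NBT-NS poisoner at {src} answered the canary query with {ips}")
```

The probe has to run on the wireless segment itself, since the query is a link-local broadcast. A hit tells you that something is answering names it cannot own; the durable fix on the endpoint side is to disable NBT-NS and LLMNR so the machine never trusts broadcast name resolution in the first place.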

While the group carried out this attack against the hotel network, the researchers believe it could also be used to target "hotel guests of interest" directly, generally business and government personnel travelling abroad.

The researchers described one such incident from 2016 in which Fancy Bear accessed the computer and Outlook Web Access (OWA) account of a guest staying at a hotel in Europe, 12 hours after the victim connected to the hotel's Wi-Fi network.

This is not the only attack aimed at hotel guests. The South Korea-nexus Fallout Team (also known as DarkHotel) has previously carried out such attacks against Asian hotels to steal information from senior executives of large global companies during their business trips.

The Duqu 2.0 malware was also found targeting the Wi-Fi networks of European hotels used by participants in the Iranian nuclear negotiations, and high-profile visitors to Russia and China have reportedly had their laptops and other electronic devices accessed.

The simplest protection is to avoid hotel Wi-Fi and other public or untrusted networks altogether and tether to your mobile device's hotspot instead. If you must use such a network, run a VPN so application traffic is encrypted end to end, and disable NBT-NS and LLMNR on the endpoint so it never answers or trusts broadcast name resolution on a network it does not control.

There is no end to users' security problems. Everything seems hackable, from home wireless routers to the large web servers that leak users' personal data in one go.

If you travel a lot and move from hotel to hotel, you are probably dependent on free Wi-Fi to get online. Next time, be extra cautious before connecting to a hotel's Wi-Fi network, as it may expose you to attackers.

Security researchers have unearthed a critical flaw in the gateway devices that many hotel chains rely on to run their Wi-Fi networks.

The vulnerability could allow an attacker to infect guests with malware, steal or monitor personal data sent over the network, and even gain access to the hotel's keycard and reservation systems.

HACKING GUEST WIFI ROUTER

Several models of InnGate gateways made by ANTlabs, a Singapore firm, ship firmware with a flaw in its authentication: a network service that should require credentials accepts connections without any.

The security vulnerability (CVE-2015-0932), discovered by the security firm Cylance, gives hackers direct access to the root file system of ANTlabs's InnGate devices.

With root access, attackers can read or write any file on the device's file system, including files that could be used to infect the devices of Wi-Fi users.

Researchers found 277 vulnerable devices at hotels, convention centers, and data centers across 29 countries, and the real number is likely larger; the flaw could affect millions of users who get on a hotel's network for free Wi-Fi access.

Of the devices found, more than 100 were located in the United States, 35 in Singapore, 16 in the UK, and 11 in the United Arab Emirates.

Justin W. Clarke, a senior security researcher of the Cylance SPEAR (Sophisticated Penetration Exploitation and Research) team, says the vulnerability also gives the attacker access to a computer owned by the operating organization.

THE VULNERABILITY GETS WORSE

In some cases, the researchers found InnGate devices configured to communicate with a property management system (PMS). That link could be leveraged to gain deeper access into a hotel's business network, letting an attacker identify current and upcoming guests and their room numbers.

Moreover, the PMS is often integrated with the phone system, the point-of-sale (POS) system that processes credit card transactions, and the electronic keycard system that controls access to guest rooms.

So this vulnerability could potentially allow an attacker to reach and exploit those hotel systems as well.

"In cases where an (ANTlabs) InnGate device stores credentials to the PMS, an attacker could potentially gain full access to the PMS (Property Management Systems) itself," the researchers wrote in a blog post published Thursday.

HOW THE VULNERABILITY WORKS

The flaw is an unauthenticated rsync daemon listening on TCP port 873 on the ANTlabs devices. rsync is a versatile file-copying tool widely used for backups because it can synchronize files from one location to another automatically; in daemon mode it exports directories as "modules" that remote clients can read from and, if the module allows it, write to.

An rsync daemon can be restricted to authenticated users, but the ANTlabs devices ran it with no authentication at all.

Once connected to the rsync daemon, an attacker can read and/or write to the file system of the Linux-based operating system without restriction.

Due to the widespread nature of the vulnerability, ANTlabs has released a patch addressing CVE-2015-0932, and US-CERT has issued an alert about the critical flaw.

This is not the first time researchers have discovered this kind of attack on hotel guests: late last year Kaspersky Lab uncovered a campaign, dubbed DarkHotel, that targeted guests at five-star hotels in Asia and the US by subverting the hotels' Wi-Fi systems.